Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Overview

caddy-security

Security App and Plugin for Caddy v2. It includes:

  • Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
  • Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
  • Credentials Plugin for managing credentials for various integrations

Please show your appreciation for this work and

Please consider sponsoring this project!

Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau


⚠️ Please open an issue if you need help migrating configurations from caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).


Documentation: authp.github.io

Security Policy: SECURITY.md

Please see other plugins:

Overview

The caddy-security app manages the authentication portal, the authorization security policy, and credentials. The plugin enforces the security policy on endpoints marked with the authorize keyword and serves the authentication portal on endpoints marked with the authenticate keyword.

The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/greenpau/aaasf.

Getting Started

The configuration happens in Caddy's global options block.

  • Setting Up Local Authentication: Video and Config Gist
  • Login with App Authenticator and Yubico U2F: Video

Download Caddy with the plugins enabled:

Credentials

The following configuration adds SMTP credentials to the security app. The app and plugin can then use the credentials.

{
  security {
    credentials email smtp.outlook.com {
      # SMTP submission endpoint (STARTTLS on 587); port 993 is IMAP over TLS, not SMTP
      address smtp.office365.com:587
      protocol smtp
      username {env.SMTP_USERNAME}
      password {env.SMTP_PASSWORD}
    }
  }
}

Authentication

The following configuration adds an authentication portal.

{
  security {
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SECRET}
      backend local {env.HOME}/.local/caddy/users.json local
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
  }
}

auth.myfiosgateway.com {
  authenticate * with myportal
}

Authorization

The following configuration adds an authorization policy and the site handler that enforces it.

{
  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/public_html
  file_server
}
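The two blocks above share one fact that is easy to lose during a migration: the portal signs tokens with the key given to crypto key sign-verify, the policy verifies them with the key given to crypto key verify, so both must resolve to the same {env.JWT_SECRET}, and a protected site admits a request only when the token carries one of the roles listed under allow roles. The Go program below is an added example written for this page; it is not code from caddy-security or go-authcrunch. It models that contract with a minimal HS256 token: the Claims schema (sub, origin, roles, exp), the function names, and the "constructed-example-secret" and "other-secret" values are assumptions of the example, not the project's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a deliberately small stand-in for the token the portal issues. The real
// go-authcrunch claim set is richer; this schema is an assumption of the example.
type Claims struct {
	Subject string   `json:"sub"`
	Origin  string   `json:"origin"`
	Roles   []string `json:"roles"`
	Exp     int64    `json:"exp"`
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// signHS256 models the portal side of "crypto key sign-verify {env.JWT_SECRET}":
// header.payload is MACed with the shared secret and appended as the third segment.
func signHS256(secret []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc(mac.Sum(nil)), nil
}

// verifyHS256 models the policy side of "crypto key verify {env.JWT_SECRET}": it pins the
// algorithm, compares the MAC in constant time and checks expiry before trusting any claim.
func verifyHS256(secret []byte, token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, errH := dec(parts[0])
	payload, errP := dec(parts[1])
	sig, errS := dec(parts[2])
	var hdr struct{ Alg string }
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return c, errors.New("malformed token")
	}
	if hdr.Alg != "HS256" { // never let the token choose the algorithm
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // a token minted under a different secret fails here
		return c, errors.New("signature verification failed")
	}
	if err = json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// addRoleByOrigin models "transform user { match origin local / action add role authp/user }".
func addRoleByOrigin(c Claims, origin, role string) Claims {
	if c.Origin == origin {
		c.Roles = append(c.Roles, role)
	}
	return c
}

// allowRoles models "allow roles authp/admin authp/user": any overlap grants access.
func allowRoles(c Claims, allowed ...string) bool {
	for _, have := range c.Roles {
		for _, want := range allowed {
			if have == want {
				return true
			}
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-example-secret") // stands in for {env.JWT_SECRET}
	now := time.Now()
	user := addRoleByOrigin(Claims{Subject: "jsmith", Origin: "local", Exp: now.Add(time.Hour).Unix()}, "local", "authp/user")
	tok, _ := signHS256(secret, user)
	c, err := verifyHS256(secret, tok, now)
	fmt.Println("verified:", err == nil, "allowed:", allowRoles(c, "authp/admin", "authp/user"))
	_, err = verifyHS256([]byte("other-secret"), tok, now) // the policy was given a different key
	fmt.Println("mismatched secret:", err)
}
```

The second verification in main is the migration failure mode: when the portal and the policy do not resolve to the same secret, every request to an authorized site fails at the signature check, while logging in at the portal itself still works.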

User Interface

User Login

Portal

User Identity (whoami)

User Settings

Password Management

Add U2F Token (Yubico)

Add Authenticator App

Multi-Factor Authentication

Issues
  • nginx style Forward Auth example.

    nginx style Forward Auth example.

    Hello. https://github.com/caddyserver/caddy/issues/2894 is closed citing this project's existence. Nginx' auth_request directive (https://nginx.org/en/docs/http/ngx_http_auth_request_module.html) works with a simple HTTP response code. Is this kind of functionality available? If yes, can you please direct me to the relevant documentation.

    Another question while we're at it. It seems caddy-security is now a single module that includes the former authorize and portal components. Is it still possible to build it without the portal for people who already have an external authentication system in place?

    question oauth 
    opened by xpufx 50
  • question: How do roles work now

    question: How do roles work now

    Previously utilizing caddy-authorize, this line for roles worked

    allow roles User Admin

How would this be implemented in caddy-security? The docs don't seem to be updated yet. The repo's description includes this snippet, allow roles authp/admin authp/user, but I am unsure how to implement this in my existing Caddyfile; specifically, I am using organizr's jwt, https://docs.organizr.app/features/server-authentication

    bug question migration authorization 
    opened by MVethana 43
  • What JWKS key types are supported in the generic OAuth2 backend?

    What JWKS key types are supported in the generic OAuth2 backend?

    New to Caddy, new to OAuth & OIDC so brace yourselves. I'm trying to add OAuth/OIDC authentication to a site. I'm using this config file as a reference. Things are going ok to start with, here's where (I think) I'm at:

    1. It looks like Caddy is hitting my metadata_url and finding the jwks_uri field.
    2. Once it hits the jwks_uri, it appears to be reading the first key in the array whose kty (key type) is EC.
    3. Then I get this message and exit with code 1:

    provision security: backend configuration for "myportal" portal failed: failed to fetch jwt keys for OAuth 2.0 authorization server: invalid jwks key: unsupported key type EC for <my_key>

    where <my_key> is the EC key found at the jwks_uri. So my questions are:

    1. Is the EC kty (keytype) supported?
    2. If not, can I direct Caddy to use another key from the jwks_uri?
    3. Have I misunderstood this completely?
    oauth feature 
    opened by irishismyname 42
  • `auth provider returned error, user authorization failed` being spammed in Caddy log

    `auth provider returned error, user authorization failed` being spammed in Caddy log

    Describe the issue I'm trying to migrate my config over to Caddy Security, and I think I have most things working now, but I'm getting this message constantly spammed in Caddy's log:

    {"level":"error","ts":1642791051.2186432,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed"}
    

    The interesting thing is, it doesn't seem to affect the functionality, because I'm able to login just fine.

    Configuration

    { # Global configuration
        acme_dns cloudflare REDACTED
        email REDACTED
        order authorize before reverse_proxy
        order authenticate before authorize
        security {
            credentials email smtp.sendgrid.net {
                address smtp.sendgrid.net:587
                protocol smtp
                username {env.SMTP_USERNAME}
                password {env.SMTP_PASSWORD}
            }
            authentication portal myportal {
                crypto default token lifetime 3600
                # crypto key sign-verify {env.JWT_SECRET}
                backend local /etc/caddy/auth/local/users.json local
                cookie domain haddock.cc
                ui {
                    links { # Icons here -> https://icons8.com/line-awesome
                        "Cloud" https://cloud.haddock.cc icon "las la-cloud"
                        "Media" https://media.haddock.cc icon "las la-photo-video"
                        "Get TV Shows" https://tv.haddock.cc icon "las la-tv"
                        "Get Movies" https://movies.haddock.cc icon "las la-video"
                    }
                }
                transform user {
                    match origin local
                    action add role authp/user
                    ui link "Portal Settings" /settings icon "las la-cog"
                }
            }
            authorization policy mypolicy {
                set auth url https://auth.haddock.cc/
                allow roles authp/admin authp/user
            }
        }
        # }
        # crowdsec {
        #     api_url http://crowdsec:8180/
        #     api_key REDACTED
        #     ticker_interval 15s
        # }
    }
    
    auth.haddock.cc {
        authenticate * with myportal
    }
    
    cloud.haddock.cc {
        authorize with mypolicy
        reverse_proxy nextcloud:80 {
            header_down Strict-Transport-Security "max-age=15552000; includeSubDomains"
        }
        rewrite /.well-known/carddav /remote.php/dav
        rewrite /.well-known/caldav /remote.php/dav
    }
    
    media.haddock.cc {
        authorize with mypolicy
        reverse_proxy jellyfin:8096
    }
    
    indexers.haddock.cc { # Prowlarr
        authorize with mypolicy
        reverse_proxy prowlarr:9696
    }
    
    tv.haddock.cc { # Sonarr
        authorize with mypolicy
        reverse_proxy sonarr:8989
    }
    
    movies.haddock.cc { # Radarr
        authorize with mypolicy
        reverse_proxy radarr:7878
    }
    
    localhost:8112 { # QBittorrent
        reverse_proxy torrent:8080
    }
    

    Version Information

    crowdsec v0.2.0
    dns.providers.cloudflare v0.0.0-20210607183747-91cf700356a1
    http.authentication.providers.authorizer v1.0.1
    http.handlers.authenticator v1.0.1
    http.handlers.crowdsec v0.2.0
    layer4 v0.0.0-20201230212151-6587f40d4eb6
    layer4.matchers.crowdsec v0.2.0
    layer4.matchers.ip v0.0.0-20201230212151-6587f40d4eb6
    security v1.0.1
    

    Expected behavior The Caddy log isn't filled up with the error.

    bug 
    opened by poperigby 33
  • feature: Nextcloud OIDC support

    feature: Nextcloud OIDC support

    This is a continuation of https://github.com/greenpau/caddy-auth-portal/issues/227#. I think it would be a useful feature to be able to login to Nextcloud with Caddy Security account, and for Caddy Security to automatically create new Nextcloud users based on Caddy Security users. This can be done with OIDC, correct?

    oauth feature oidc oauth-nextcloud 
    opened by poperigby 30
  • question: Email setup

    question: Email setup

    Trying to get email working for user registration. I do not see any errors in the logs, but get email error when a user tries to register. Below is the relevant config I am using. Guessing I don't quite have the config correct, but not sure what I am missing.

    	security {
    		credentials [email protected] {
    			username [email protected]
    			password <app_password>
    		}
    		messaging email provider gmail {
    			address smtp.gmail.com:587
    			protocol smtp
    			credentials [email protected]
    			sender [email protected] "My Auth Portal"
    		}
    		authentication portal myportal {
    			enable source ip tracking
    			cookie lifetime 86400
    			crypto default token lifetime 3600
    			crypto key sign-verify <redacted>
    			cookie domain mydomain.net
    			backend local /config/caddy/users.json local
    			transform user {
    				match roles registered
    				require mfa
    			}
    			registration {
    				dropbox /config/caddy/registrations.json
    				title "User Registration"
    				code "Test"
    				require domain mx
    				email provider gmail
    			}
    ...
    
    question need triage 
    opened by samcro1967 26
  • question: skip kid check option?

    question: skip kid check option?

    A clear and concise description of what you want to accomplish.

    I am trying to authenticate to an (apparently) broken oauth2 server which does not provide the kid in the id_token.

    The error in the logs is this:

    {"level":"warn","ts":1647959353.70759,"logger":"security","msg":"Authentication failed","session_id":"lbcuPQRrdw8Sdwi7jCuohVyiLsViBe8wXoPGY0zsGrylm","request_id":"759dd92c-3464-4568-9dc8-6e90ffd6b93b","error":"failed validating OAuth 2.0 access token: OAuth 2.0 failed to parse id_token: OAuth 2.0 kid not found in id_token"}
    

    I have verified the id_token (by enabling debug in the caddy config), it does not contain the kid - see the id_token header below:

    {
      "typ": "JWT",
      "alg": "RS256"
    }
    

    PS: Github and gitlab configurations are working just fine, but I do get the kid in their id_token. PPS: I also had a look on #48 and tried required_token_fields access_token with no luck. I get the same error.

    oauth 
    opened by teodorescuserban 25
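This issue and the earlier one about EC keys at the jwks_uri come down to the same two steps a verifier has to take before it can trust an id_token: pick the right key out of the provider's key set, and accept only the algorithm it expects. The Go program below is an added example written for this page, not code from caddy-security or go-authcrunch, and it makes no claim about what the plugin does internally. It shows a verifier that does accept EC (P-256, ES256) keys from a JWKS and that handles a header with no kid by accepting the token only when the key set is unambiguous, that is, holds a single key. The provider side (jwkFor, issueES256) is constructed so the example runs offline; the function names, the kid values and the sample payloads are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK carries only the EC fields this example needs from a jwks_uri document.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid,omitempty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// publicKeyFor selects the JWK named by the token's kid and converts it to an ECDSA key.
// A header without kid (the case in the issue) is accepted only against a single-key set.
func publicKeyFor(keys []JWK, kid string) (*ecdsa.PublicKey, error) {
	var k JWK
	for _, c := range keys {
		if (kid != "" && c.Kid == kid) || (kid == "" && len(keys) == 1) {
			k = c
		}
	}
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, fmt.Errorf("no usable key for kid %q: want EC/P-256, got %q/%q", kid, k.Kty, k.Crv)
	}
	x, errX := dec(k.X)
	y, errY := dec(k.Y)
	if errX != nil || errY != nil {
		return nil, fmt.Errorf("malformed EC coordinates for kid %q", k.Kid)
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
}

// verifyES256 checks a compact JWS against the key set and returns the raw payload.
func verifyES256(keys []JWK, token string) ([]byte, error) {
	hdrB64, rest, ok1 := strings.Cut(token, ".")
	payB64, sigB64, ok2 := strings.Cut(rest, ".")
	hdrRaw, errH := dec(hdrB64)
	payload, errP := dec(payB64)
	sig, errS := dec(sigB64)
	var hdr struct{ Alg, Kid string }
	if !ok1 || !ok2 || errH != nil || errP != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "ES256" { // pin the algorithm; the token must not choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := publicKeyFor(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(hdrB64 + "." + payB64))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return payload, nil
}

// jwkFor publishes a P-256 public key the way a provider's jwks_uri would (constructed).
func jwkFor(pub *ecdsa.PublicKey, kid string) JWK {
	return JWK{Kty: "EC", Kid: kid, Crv: "P-256", X: enc(pub.X.FillBytes(make([]byte, 32))), Y: enc(pub.Y.FillBytes(make([]byte, 32)))}
}

// issueES256 is the constructed provider side; kid "" reproduces the header shown in the issue.
func issueES256(priv *ecdsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr := `{"alg":"ES256","typ":"JWT"}`
	if kid != "" {
		hdr = fmt.Sprintf(`{"alg":"ES256","typ":"JWT","kid":%q}`, kid)
	}
	input := enc([]byte(hdr)) + "." + enc(payload)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	// JWS wants raw r||s, each left-padded to 32 bytes, not the ASN.1 form.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := issueES256(priv, "", []byte(`{"sub":"alice"}`)) // header without kid, as in the issue
	_, err := verifyES256([]JWK{jwkFor(&priv.PublicKey, "k1")}, tok)
	fmt.Println("single-key set, token without kid:", err)
}
```

The single-key fallback is the only safe relaxation of the kid check: with several keys published and no kid in the header, trying each key in turn would let the token steer which verifier is used, so the example refuses that case rather than guessing.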
  • breakfix: Access token set without expiry, still gets 401, and doesn't redirect to provided auth url

    breakfix: Access token set without expiry, still gets 401, and doesn't redirect to provided auth url

    Describe the issue

    After logging in at https://auth.MYDOMAIN.com, the auth portal sets a cookie without a Max-Age or expires attribute set, meaning it only lives as long as the session. Example set-cookie header in the response of /oauth2/github/authorization-code-callback?code=OAUTH_CODE... after logging in with github:

    set-cookie: access_token=eyJhbGciOiJI....; Domain=MYDOMAIN.com; Path=/; Secure; HttpOnly;
    

    Also, the access token itself doesn't seem to work at all with my current configuration, and I get a 401 on the example domain of this config https://sonarr.MYDOMAIN.com, with error logs like:

    {"level":"debug","ts":1642792571.8178122,"logger":"security","msg":"token validation error","session_id":"cO9Fu3cuNuNg5ufIugXgZphXU5MSzEFhfByBX0ojPb8","request_id":"26a2f6a9-51fb-4be8-92ac-85f40eefbfd5","error":"token validator: invalid token: keystore: failed to parse token"}
    {"level":"error","ts":1642792571.8178322,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed"}
    

    and it just redirects to https://sonarr.MYDOMAIN.com/?redirect_url=https%3A%2F%2Fsonarr.MYDOMAIN.com%2F, rather than redirecting to https://auth.MYDOMAIN.com as I'd expect.

    My very very similar config previously using caddy-authorize and caddy-auth-portal worked fine, I've basically just moved around the attributes to be inline with how the new config format looks, and I used the jumpcloud config as my example.

    Configuration

    {
            debug
            order authorize before basicauth
            email {$CF_EMAIL}
            auto_https ignore_loaded_certs
    
            security {
                    authentication portal mainportal {
                            crypto default token lifetime 2419200
                            crypto key sign-verify {$CADDY_AUTH_TOKEN_SECRET}
                            cookie domain {$DOMAIN}
                            backend local {$CADDY_AUTH_USERS_PATH} local
                            backend github {$CADDY_GITHUB_OAUTH_CLIENT_ID} {$CADDY_GITHUB_OAUTH_CLIENT_SECRET}
                            transform user {
                                    exact match sub github.com/johnpyp
                                    action add role authp/admin
                                    action add role superadmin
                            }
                            transform user {
                                    match email [email protected]
    
                                    action add role authp/admin
                                    action add role superadmin
                            }
                    }
    
                    authorization policy mainpolicy {
                            set auth url https://auth.{$DOMAIN}
                            allow roles admin superadmin authp/admin
                            crypto key verify {$CADDY_AUTH_TOKEN_SECRET}
                    }
            }
    }
    
    (cf_tls) {
            tls {
                    issuer zerossl {
                            resolvers 1.1.1.1
                            dns cloudflare {$CF_API_TOKEN}
                    }
            }
    }
    
    auth.{$DOMAIN} {
            import cf_tls
            route {
                    authenticate * with mainportal
            }
    }
    
    (protected_route) {
            {args.0}.{$DOMAIN} {
                    import cf_tls
                    authorize with mainpolicy
                    route {
                            reverse_proxy {args.1}
                    }
            }
    }
    
    import protected_route sonarr sonarr:8989
    # ...
    

    Version Information

    Should be latest everything, just pulled a few minutes ago with this docker image:

    FROM caddy:2-builder AS builder
    
    RUN xcaddy build \
        --with github.com/greenpau/caddy-security \
        --with github.com/caddy-dns/cloudflare
    
    FROM caddy:2
    
    COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    
    bug authorization 
    opened by johnpyp 18
  • question: inject headers from userinfo object

    question: inject headers from userinfo object

    @greenpau, thank you for your awesome work!

    Everything seems to be working correctly talking to a quaint oauth2 server.

    To have a complete and useful setup, there is one piece of the puzzle that is left for me and that is how do I inject custom headers to downstream from the userinfo object.

    And of course, I would really like to be able to use those details in the caddy auth policies.

    In my setup I currently use vouch to get additional information from the userinfo object.

    I have attempted inject header "X-Custom-Projects" from projects with no success (I get no error either, but I don't seem to get the new header).

    I do see two additional headers when I add inject headers with claims to the config, unfortunately that is not quite enough for my setup.

    Also inject header "X-Custom-Roles" from roles works (although I get the caddy-security roles, not the ones in the userInfo object).

    Below is an example of userInfo:

    {
        "sub": "37",
        "email": "[email protected]",
        "email_verified": true,
        "name": "john.doe.developer",
        "preferred_username": "john.doe.developer",
        "zoneinfo": "Europe\\/Berlin",
        "profile": {},
        "display_name": "John Doe",
        "groups": [
            "PROJ1",
            "PROJ2",
            "PROJ3",
            "mailhog",
            "snapshots",
            "developer:dev-004",
            "developer:mailhog",
            "developer:snapshots",
            "developer:PROJ1",
            "developer:PROJ2",
            "developer:PROJ3"
        ],
        "departments": [
            "DEPT1"
        ],
        "projects": [
            "PROJ1",
            "PROJ2",
            "PROJ3",
        ],
        "services": [
            "dev-004",
            "mailhog",
            "snapshots"
        ],
        "roles": [
            "authenticated",
            "nomfa"
        ]
    }
    
    question need triage 
    opened by teodorescuserban 17
  • feature: LDAP support for GLAuth schema

    feature: LDAP support for GLAuth schema

    Thank you for this awesome project, unfortunately I am having some issues with getting it to run with an LDAP backend:

    Describe the issue

    An attempt to log in over Caddy Security with an LDAP backend consisting of glauth-ui for management and glauth (https://github.com/glauth/glauth) as the LDAP provider fails with the right credentials. The credentials were successfully used by other means of connecting to glauth.

    Configuration

    Paste full Caddyfile below:

    (Domain names and unrelated services cut out)

    {
      acme_ca https://acme-v02.api.letsencrypt.org/directory
      email   [...]
      debug
    
      security {
        authentication portal myportal {
          crypto default token lifetime 3600
          crypto key sign-verify [...]
           
          backends {
            ldap_backend {
              method ldap
              realm [...]
              servers {
                ldap://login_system_glauth_1:389 ignore_cert_errors posix_groups
              }
              attributes {
                name givenname
                surname sn
                username name
                #member_of primarygroup #memberOf
                email mail
              }
              username "CN=[...],DC=[...],DC=[...],OU=[...]"
              password "[...]"
              search_base_dn "DC=[...],DC=[...],OU=[...]"
              search_filter "(|(name=%s)(mail=%s))"
              groups {
                "CN=people,OU=[...],DC=[...],DC=[...]" people
                "CN=5501,OU=[...],DC=[...],DC=[...]" people2
              }
            }
          }
    
          cookie domain [...]
          ui {
            links {
              "My Website (super secret)" [...]/foo
              "My Identity" "/whoami"
            }
          }
        }
    
        authorization policy mypolicy {
          set auth url /auth/
          crypto key sign-verify [...]
          allow roles people people2
        }
      }
    }
    
    [...]:443/* {
      #Protected super secret part of website
      redir /foo /foo/
      handle_path /foo/* {
        route {
          authorize with mypolicy
        }
        respond * "foobar website" 200
      }
    
      handle {
        route /auth* {
          authenticate * with myportal
        }
    
        #unprotected landing page
        reverse_proxy nginx:80
      }
    }
    

    Version Information

    Provide output of caddy list-modules -versions | grep git below:

    Caddy version is v2.4.6 running in Docker. The above command yields no results with grep git. Without it, it looks like:

    [...] 
    
      Standard modules: 83
    
    http.authentication.providers.authorizer v1.0.6
    http.handlers.authenticator v1.0.6
    security v1.0.6
    
      Non-standard modules: 3
    
      Unknown modules: 0
    
    

    Expected behavior

    A successful login

    Additional context

    Caddy logs:

    [Note: User entry follows]
    caddy_1  | {"level":"debug","ts":1643228260.8880885,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228260.8909764,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228260.8923666,"logger":"security","msg":"LDAP search succeeded","server":"ldap://login_system_glauth_1:389","entry_count":0,"search_base_dn":"DC=[...],DC=DE,OU=[...]","search_user_filter":"(|(name=[foo])(mail=[foo]))","users":[]}
    caddy_1  | {"level":"debug","ts":1643228260.9456468,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
    caddy_1  | {"level":"debug","ts":1643228260.9464517,"logger":"security","msg":"next user authorization checkpoint","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"5ce045e3-cdb6-4c07-8940-a615318dca25","data":{"action":"auth","title":"Password Authentication","view":"password_auth"}}
    
    [Note: Password entry]
    caddy_1  | {"level":"debug","ts":1643228269.0140665,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"password-auth","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
    caddy_1  | {"level":"debug","ts":1643228269.0155284,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228269.01613,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"warn","ts":1643228269.0173078,"logger":"security","msg":"user authorization checkpoint failed","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"3a4848b6-9f80-47c5-bca7-e8bab3a71cf2","error":"Password authentication failed. Please retry"}
    

    Structure of glauth users:

      name = "fbar"
      givenname = "foo"
      sn = "bar"
      mail = "[email protected]"
      unixid = 5003
      primarygroup = 5501
      passsha256 = "foofoobarbar"
      otherGroups = [ 5551 ]
    

    glauth output:

    glauth_1      | 19:45:40.200821 Bind ▶ DEBU 025  "level"=6 "msg"="Bind request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.201705 Bind ▶ DEBU 026  "level"=6 "msg"="Bind success"  "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.202217 Search ▶ DEBU 027  "level"=6 "msg"="Search request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=[foo])(mail=[foo]))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.203287 Search ▶ DEBU 028  "level"=6 "msg"="AP: Search OK"  "filter"="(|(name=[foo])(mail=[foo]))"
    glauth_1      | 19:45:44.544377 Bind ▶ DEBU 029  "level"=6 "msg"="Bind request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.544462 Bind ▶ DEBU 02a  "level"=6 "msg"="Bind success"  "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.544891 Search ▶ DEBU 02b  "level"=6 "msg"="Search request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=nobody)(mail=nobody))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.545011 Search ▶ DEBU 02c  "level"=6 "msg"="AP: Search OK"  "filter"="(|(name=nobody)(mail=nobody))"
    
    feature ldap 
    opened by glubii 17
  • Wrong SMTP port

    Wrong SMTP port

    Your SMTP example uses TCP 993 for SMTP, but this is IMAP (SSL). SMTP is TCP 25 (insecure or STARTTLS), TCP 465 (SSL) or TCP 587 (insecure or STARTTLS).

    Please also provide information on how to configure insecure, SSL and STARTTLS modes.

    One example: https://raw.githubusercontent.com/greenpau/caddy-security/main/README.md

    Thank you

    breakfix 
    opened by helmut72 15
  • question: KeyCloak logout problem

    question: KeyCloak logout problem

    Hello! I deployed Caddy + Caddy-Security + KeyCloak according to your documentation. Works really good except one thing: logout.

    Steps to reproduce:

    1. Open https://auth/login and press Keycloak.
    2. Fill the keycloak's login form and do login.
    3. Check /whoami and then go to /logout.
    4. Now portal redirects you to its root.
    5. Now you are logged out from the portal, but not from Keycloak. To check it, repeat steps 1-4 and there won't be a step 2.

    Is there any way to log out from Keycloak when I open http://auth/logout?

    question oauth oauth-keycloak whoami 
    opened by scorday 9
  • Add U2F Security Key (Android phone) doesn't work

    Add U2F Security Key (Android phone) doesn't work

    /settings/mfa/add/u2f results in a proper browser QR code in both browsers, Brave and Chrome. I scan it, the browser passes info to the site, and then it shows undefined undefined.


    question mfa ui 
    opened by Loqova 4
  • Where are the (example) templates?

    Where are the (example) templates?

    https://authp.github.io/docs/authenticate/ui-features describes how to override a template but gives no reference to what the template should consist of. I can't find them on disk or in this repo, but found out it's apparently compiled into the binaries.

    Where are the source templates currently used? There is no way to override it without knowing what should be included in a template.

    question need triage 
    opened by Loqova 5
  • Is there a way to disable some of the settings pages?

    Is there a way to disable some of the settings pages?

    I tried simply blocking the pages already, but that doesn't work; I guess authenticate refers to some block I cannot include such requests in. I can probably disable it with a custom theme in the frontend, but I'm still searching for the location of those theme files inside the container. And I want to disable those functions in the backend too.

    http://auth.xxxxxx.xx {
      respond /settings/sshkeys "Not accessible" 403
      respond /settings/gpgkeys "Not accessible" 403
      respond /settings/apikeys "Not accessible" 403
      respond /settings/connected "Not accessible" 403

      authenticate with myportal
    }
    
    feature ui templates ui settings 
    opened by Loqova 6
  • Getting started documentation

    Getting started documentation

    I'm trying to set up a simple attempt to use caddy-security by just following the documentation, but I didn't manage yet. A few things on my experience so far:

    1. Under the section "Getting Started" (https://github.com/greenpau/caddy-security) the video skips the installation part entirely and the config shown is outdated. As I use Caddy in docker I fixed that by switching to image https://hub.docker.com/r/androw/caddy-security.
    2. Under the section "Getting Started" (https://github.com/greenpau/caddy-security) the GIST referred to (https://github.com/authp/authp.github.io/blob/main/assets/conf/local/Caddyfile) is horribly outdated. After seeing an error referring to https://github.com/greenpau/caddy-security/issues/83 I tried to fix it manually, but as it wasn't the only issue, I gave up soon after in search of a more recent config. Found a reference to other documentation on authp.github.io.
    3. The config example on https://authp.github.io/docs/authenticate/getting-started doesn't lead anywhere. "Additionally, please see issues tagged config example." just to empty search results.
    4. I see "Option 2: Dive right into configuration files in the conf" which leads me to hopefully a more up to date start local config to test with.

    I suggest in this case keeping the README on this Git almost empty and simply referring to the most recent documentation which is I guess https://authp.github.io/. Also, having a simple, easy to deploy (Docker) or one-liner command to get started with and play with will probably increase adoption of this project.

    question need triage 
    opened by Loqova 15
  • feature: ldap identity store domain MFA

    feature: ldap identity store domain MFA

    A clear and concise description of what you want the system to do.

    Multi-Factor Authentication is currently documented as limited to local identity store.

    What are the Caddyfile directives that need to be added.

    Ability to match realm as defined in ldap identity store. Not sure if this is possible today based on docs. ex:

    transform user {
        match realm my.ldap.domain
        require mfa
    }
    
    feature need triage 
    opened by rismoney 3
Releases(v1.1.14)
  • v1.1.14(Jun 20, 2022)

    • cookie: if domain and insecure specified then set for all (#124)
    • ui: add disable settings page directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.35
      • ui: generate nav menu for settings page
      • ui: format login template
      • ui: remove debug from login template
      • ui: hide login form links (greenpau/caddy-security#101, authp/authp.github.io#23)
      • ui: add apps templates - aws sso and mobile access
      • ui: minify css assets
  • v1.1.13(Jun 13, 2022)

    • ids/ldap: add fallback roles directive (#120)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.34
      • ids/ldap: add support for fallback roles (#120)
      • ui: convert sandbox template to tailwindcss
  • v1.1.12(Jun 6, 2022)

    • ui: add meta title, author, description directives (authp/authp.github.io#31)
    • oauth: add enable logout directive (authp/authp.github.io#30)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.33
      • oauth: add enable logout facilities
      • ui: convert portal and whoami templates to tailwindcss
      • ui: change go/template ref from Title to PageTitle
      • settings: fix logic for non-local identity stores
      • ui: convert register template to tailwindcss
    Source code(tar.gz)
    Source code(zip)
  • v1.1.11(Jun 3, 2022)

    • add enable id_token cookie [<cookie_name>] Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.32
      • oauth: add auth portal cookie for storing identity provider id_token (authp/authp.github.io#28)
      • oauth: implement ending session via oauth provider logout url
      • oauth: fix typo in javascript-based redirect
      • whoami: add custom claims to json response (greenpau/caddy-security#102)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.10(May 26, 2022)

  • v1.1.9(May 23, 2022)

    upgrade to github.com/greenpau/go-authcrunch v1.0.30

    • template/login: add login QR code handler
    • github: add open collective funding link
    • oauth: Ability to provide scopes from the request into the security backends (#19)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.8(May 20, 2022)

    🔥All! Please ask your employers to support this project via Open Collective. 🔥

    • ui: redesign login template (moving towards TailwindCSS and jQuery for user management UI)
    • cookie: add support for domain stripping (#107)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.7(May 10, 2022)

  • v1.1.6(May 7, 2022)

    • upgrade to github.com/greenpau/go-authcrunch v1.0.27
      • idp: extract roles and groups from oauth userinfo (#93)
      • Sanitize referrer url on Generic html template (greenpau/go-authcrunch#15)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.5(Apr 24, 2022)

  • v1.1.4(Apr 18, 2022)

    • idp: add directive for icon name, text, color (doc)
    • oauth: add directive for userinfo field extraction (#87)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.24
      • authorize: implement header injection of nested fields (doc)
      • oauth: add fetching of openid userinfo (#13)
      • Remediate CodeQL Issues
    Source code(tar.gz)
    Source code(zip)
  • v1.1.3(Apr 10, 2022)

  • v1.1.2(Apr 3, 2022)

    • oauth: add configuration option for email field check (#77). If the disable email claim check directive is present, there is no check for the presence of the email field in a token received from the IdP.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.1(Apr 2, 2022)

    • upgrade to go-authcrunch v1.0.21
      • refactor auth proxy for basic and api key auth
      • add file system based messaging
      • switch from github.com/satori/go.uuid to github.com/google/uuid
    Source code(tar.gz)
    Source code(zip)
  • v1.0.19(Mar 30, 2022)

    🔥 BREAKING (BUT NECESSARY) CHANGES 🔥 See https://github.com/greenpau/caddy-security/issues/83#issue-1186529107

    • upgrade to github.com/greenpau/go-authcrunch v1.0.20
      • split backends to identity stores and providers
      • oauth: use first available key to validate token when kid not found (greenpau/caddy-security#77)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.18(Mar 23, 2022)

  • v1.0.17(Mar 5, 2022)

  • v1.0.16(Feb 16, 2022)

    • upgrade to github.com/greenpau/go-authcrunch v1.0.17
      • oauth: add javascript-based callback (greenpau/caddy-security#48)
      • cmd: add authdbctl connect command
      • oauth: change http client in fetchMetadataURL to use the client that uses proxy from environment (greenpau/go-authcrunch#5)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.15(Feb 12, 2022)

  • v1.0.14(Feb 11, 2022)

    • registration: add admin email Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.15
      • transforms: add injection of multi-level nested maps
      • registration: improve ui
      • oauth: add jwks tests (greenpau/caddy-security#48)
      • oauth: add jwks validation checks for HS and ES keys
      • oauth: add jwks support for HS and ES keys
      • oauth: add jwks support for enc usage field
      • registration: add new email templates
    Source code(tar.gz)
    Source code(zip)
  • v1.0.13(Feb 6, 2022)

    • add enable admin api Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.14
      • cookie: add multi-domain config for single portal (greenpau/caddy-security#43)
      • admin api: add metadata endpoint
      • config: add admin api config
      • messaging: modify email format (greenpau/caddy-security#26)
      • bugfix: fix authorization bypass issue (greenpau/caddy-security#44)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.12(Feb 2, 2022)

    upgrade to github.com/greenpau/go-authcrunch v1.0.13

    • kms: add crypto default key kid handling
    • sandbox: add logging for failed auth attempts (greenpau/caddy-security#42)
    • registration: add email notification capability
    • saml: add upn and oid metadata ms attributes
    Source code(tar.gz)
    Source code(zip)
  • v1.0.11(Jan 31, 2022)

    • Add login hint Caddyfile directive
    • registration: add email provider directive
    • add placeholder handling for ui and registration
    • upgrade to github.com/greenpau/go-authcrunch v1.0.12
      • Implement forwarding of login hint to auth URL
      • config: add provider and credentials checks for user registration
      • registration: modify registration flow and ui template
    Source code(tar.gz)
    Source code(zip)
  • v1.0.10(Jan 29, 2022)

  • v1.0.9(Jan 29, 2022)

  • v1.0.8(Jan 28, 2022)

  • v1.0.7(Jan 28, 2022)

    🔥MUST UPGRADE! 🔥

    • bugfix: empty placeholders in crypto configs
    • upgrade to github.com/greenpau/go-authcrunch v1.0.9
      • acl: add match any and negative match logic, no match role foo
      • acl: add support for field exists and not exists, e.g. field role exists or field metadata not exists (greenpau/caddy-security#5)
      • fix: custom css and js directive handling (greenpau/caddy-security#33)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.6(Jan 24, 2022)

    • Added verbose error messages for unauthorized connections. The messages capture the source IP address of the HTTP request and the source IP address of the TCP connection.
    • upgrade to github.com/greenpau/go-authcrunch v1.0.8
      • validator: pass requests.AuthorizationRequest to downstream functions
      • validator: add user metadata for failed authorizations
    Source code(tar.gz)
    Source code(zip)
  • v1.0.5(Jan 24, 2022)

  • v1.0.4(Jan 24, 2022)

Owner
Paul Greenberg
Love tinkering with tech! Current interests are VR, Oculus, Unity